Question

Are Kubernetes secrets encrypted on disk?

Posted July 22, 2019 2.9k views
SecurityDigitalOceanKubernetes

I found this interesting statement about GKE:

In a default Kubernetes installation, Kubernetes secrets are stored in etcd in plaintext. In GKE, this is managed for you: GKE encrypts these secrets on disk, and monitors this data for insider access.

(Source: https://cloud.google.com/blog/products/containers-kubernetes/exploring-container-security-encrypting-kubernetes-secrets-with-cloud-kms)

How does DigitalOcean store Kubernetes secrets? In plaintext or encrypted?

edited by MattIPv4

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
Submit an Answer
1 answer

Hi there!

DOKS does not have etcd secrets encrypted at rest. This is something the DOKS team is aware of and plans to discuss.

Regards,

John Kwiatkoski
Senior Developer Support Engineer

  • Hello John,

    Privacy is key for us and we are very concerned about this topic.
    Do you have an expectation when DO will have a cloud KMS implementation ready for customers, please?

    Regards,

    Richard Gomes

    • I apologize as I misspoke before. I just got this update from engineering:

      “All data in etcd is encrypted at rest on the backend and always has been. Additionally encrypting secrets within etcd, and was released in these versions:
      1.16.3-do.3
      1.14.8-do.3
      1.15.5-do.3

      Secrets get encrypted on upgrade to those versions for existing clusters.”

      I hope that answers your issues. Let me know if you have any further questions.

      Regards,

      John Kwiatkoski
      Senior Developer Support Engineer - Kubernetes

      • Hi John,

        Can DO engineers read secrets in managed kubernetes dashboard? Reason I ask is all the secrets can be seen in DOKS in clear text in kube dashboard after connecting to dashboard from DO account.

        • Hi raymak,

          Engineering doesn’t have access to secrets via the k8s API/dashboard. When we generate a kubeconfig for debugging it uses a role that doesn’t allow access to secrets and the secrets are encrypted in etcd, so we can’t read them at rest.

          That being said, technically the small group of engineers on the DOKS team can read secrets, but not via “normal” means. This would require direct access to the master droplet of which only select few hold the SSH keys to do that and that operation is outside of the “normal” triage steps for customer issues.

          Hope that helps clear things up!

          Regards,

          John

          • That helps a lot. Thanks John for clarification.

          • Hi John

            Just to be absolutely clear:

            1. whenever a secret is created it’s automatically encrypted?
            2. which provider is used?
            3. the fact that we can see the values in the Dashboard means that they’re just decrypted on that view?

            Is there any actual information/proof about this or is this just something we’ll have to hope for is like how you say? :)

            Thanks
            Boris